From 840eb2f519d8d7cbc6bf9e277523f9603102ed86 Mon Sep 17 00:00:00 2001
From: Karneades
Date: Thu, 4 Apr 2019 22:25:05 +0200
Subject: [PATCH 1/4] Remove too loose filter in notepad updater rule

---
 rules/windows/process_creation/win_susp_gup.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index aef75ec4e..d003ff507 100644
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -14,8 +14,6 @@ logsource:
 detection:
 selection:
 Image: '*\GUP.exe'
- filter:
- Image: '*\updater\*'
 condition: selection and not filter
 falsepositives:
 - Execution of tools named GUP.exe and located in folders different than Notepad++\updater

From 788e75ef1b073f5dedd7eda5553d683809a59115 Mon Sep 17 00:00:00 2001
From: Karneades
Date: Thu, 4 Apr 2019 22:32:21 +0200
Subject: [PATCH 2/4] Fix condition

---
 rules/windows/process_creation/win_susp_gup.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index d003ff507..99920288d 100644
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -14,7 +14,7 @@ logsource:
 detection:
 selection:
 Image: '*\GUP.exe'
- condition: selection and not filter
+ condition: selection
 falsepositives:
 - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
 level: high

From d872c52a43c42a4f10cb7519da90a5d6cb0e7183 Mon Sep 17 00:00:00 2001
From: Karneades
Date: Mon, 15 Apr 2019 08:12:12 +0200
Subject: [PATCH 3/4] Add restricted filters to notepad++ gup.exe rule

---
 rules/windows/process_creation/win_susp_gup.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index 99920288d..20e1cdd79 100644
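Review bot: After this hunk the rule still ends with `condition: selection and not filter` while the `filter` mapping it names has been deleted, so the rule does not compile on its own until PATCH 2/4 rewrites the condition; PATCH 2/4 in turn leaves a `level: high` rule with no exclusion at all, firing on every legitimate Notepad++ update until PATCH 3/4 adds the path filter. Squashing patches 1–3 into a single commit would keep every commit in the series a valid, deployable rule and make bisecting possible. If the split is kept, the two intermediate commit messages should state that they are not meant to be deployed on their own.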
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -14,7 +14,12 @@ logsource:
 detection:
 selection:
 Image: '*\GUP.exe'
- condition: selection
+ filter:
+ Image:
+ - 'C:\Users\*\AppData\Roaming\Notepad++\updater\gup.exe'
+ - 'C:\Program Files\Notepad++\updater\gup.exe'
+ - 'C:\Program Files (x86)\Notepad++\updater\gup.exe'
+ condition: selection and not filter
 falsepositives:
 - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
 level: high

From 612a7642d2e35b65933d1e6ec27b5231b115b9b9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 15 Apr 2019 08:47:53 +0200
Subject: [PATCH 4/4] Added Local directory

---
 rules/windows/process_creation/win_susp_gup.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index 20e1cdd79..5ee09618e 100644
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -16,6 +16,7 @@ detection:
 Image: '*\GUP.exe'
 filter:
 Image:
+ - 'C:\Users\*\AppData\Local\Notepad++\updater\gup.exe'
 - 'C:\Users\*\AppData\Roaming\Notepad++\updater\gup.exe'
 - 'C:\Program Files\Notepad++\updater\gup.exe'
 - 'C:\Program Files (x86)\Notepad++\updater\gup.exe'
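Review bot: The new `filter` exclusion is limited to hard-coded `C:` paths, so a legitimate Notepad++ updater started from a portable install directory or from a Program Files folder on another drive is not excluded and raises this `level: high` rule; the `falsepositives` entry should say so, e.g. `- Execution of GUP.exe located outside the listed Notepad++\updater paths (portable installs, installs on a non-C: drive)`. The selection matches `'*\GUP.exe'` while the filter paths use `gup.exe`; Sigma string matching is case-insensitive by spec, so this should behave on conforming backends, but using one casing in both places makes the intent obvious. Sigma's `*` also matches backslashes, so the `C:\Users\*\AppData\...` entries exclude more than a single username component, which is worth recording next to the rule since this series was opened to tighten a too-loose filter. PATCH 4/4 adds the `AppData\Local` path to the same list and the same remarks apply there.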